Multi-factor authentication

Administration tools ::: tool_mfa
Maintained by Catalyst IT, Brendan Heywood, Peter Burnett, Mikhail Golenkov
This is a Moodle plugin which adds Multi-Factor authentication (MFA), also known as Two-factor authentication (2FA) on top of your existing chosen authentication plugins. https://en.wikipedia.org/wiki/Multi-factor_authentication
Latest release:
585 sites
314 downloads
48 fans
Current versions available: 2
Download

NOTE: Moodle 4.3 (and higher) include this feature in the core release - you only need this plugin if you are using an older Moodle release.

This is a Moodle plugin which adds Multi-Factor authentication (MFA), also known as Two-factor authentication (2FA) on top of your existing chosen authentication plugins.

https://en.wikipedia.org/wiki/Multi-factor_authentication

Why another MFA plugin for Moodle?

There are other 2FA plugins for moodle such as:

https://moodle.org/plugins/auth_a2fa

This one is different because it is NOT a Moodle authentication plugin. It leverages new API's that Catalyst specifically implemented in Moodle Core to enable plugins to augment the login process instead of replacing it. This means that this MFA plugin can be added on top of any other authentication plugin resulting in a much cleaner architecture, and it means you can compose a solution that does everything you need instead of compromising by swapping out the entire login flow.

See this tracker and the dev docs for more info:

https://tracker.moodle.org/browse/MDL-66173

https://docs.moodle.org/dev/Login_callbacks

The other major difference is that we support multiple authentication factor types as sub plugins, eg IP Range, Email, TOTP, WebAuthn / FIDO2 and in future others such as SMS or hardware tokens or anything else as new sub-plugins. They can be flexible configured so that different combinations of factors are considered enough.

Flexible configuration

The MFA has multiple sub-plugins for each type of factor. Different factors can be combined and checked in a specific order. See the plugin readme for the full details:

https://github.com/catalyst/moodle-tool_mfa/#configuration

For more information, consult the readme:

https://github.com/catalyst/moodle-tool_mfa/

Warm thanks

Thanks to Swissbit for sponsoring the work to add WebAuthn / FIDO2 support to this plugin.

Useful links

More documentation on this plugin
Source control URL
Bug tracker

Screenshots

Screenshot #0
Screenshot #1
Screenshot #2
Screenshot #3
Screenshot #4
Screenshot #5

Contributors

Catalyst IT (Lead maintainer)
View other contributions
Brendan Heywood: Solutions Architect
View other contributions
Peter Burnett: Developer
View other contributions
Mikhail Golenkov: Developer
View other contributions
Please login to view contributors details and/or to contact them

Awards

Automated testing support
Automated testing support
Privacy friendly
Privacy friendly
Early bird 4.1
Early bird 4.1

Comments

Show comments
  • serge-fabien woi
    serge-fabien woi
    Thu, 5 Oct 2023, 2:29 AM
    Good evening, I'm a Moodle student and I'd like to know if you can help me install the MFA plugin because on the link https://github.com/catalyst/moodle-tool_mfa/ it's really complicated for me to install and configure it. I use Moodle 4 and the eguru theme.
  • Zoran Jančić
    Zoran Jančić
    Mon, 9 Oct 2023, 9:21 PM
    We are using this plugin on our Moodle 4.2. IT says Moodle 4.3 has MFA in the core, but there are no instructions about migrating existing data from MFA plugin to MFA core. Will upgrade scripts automatically do it or there are some additional steps required?
  • Peter Burnett
    Peter Burnett
    Tue, 10 Oct 2023, 6:46 AM
    Hi Zoran, no migration should be required, it is the exact same plugin within core, Moodle HQ have adopted the existing plugin, so no additional work or config should be required.
  • Michael O'Callaghan
    Michael O'Callaghan
    Thu, 8 Feb 2024, 1:16 AM
    Hi, Thanks for a fantastic plugin. I'm just wondering if its possible to modify/customize the email that is sent by the MFA plugin?
  • heli g
    heli g
    Mon, 26 Feb 2024, 3:10 PM
    Please can you update the version in the Moodle plugins directory. We have encountered what looks like this bug: Using email MFA behind VPN with private-range IP addresses results in exception https://github.com/catalyst/moodle-tool_mfa/issues/444
    Thank you
  • Ezzeddin Hamed
    Ezzeddin Hamed
    Wed, 22 May 2024, 4:34 PM
    A wonderful addition to Moodle, I like it very much.

    I am trying to customize email messages using email factor, I found the customization in the language file factor_email.php, but could not find anything about the logo which I want to completely remove.

    In the language files, I could not find anything related. Is it hard coded? If so, which appears to be, would you guide me where? In which file?

    Thanks a lot,
  • Ezzeddin Hamed
    Ezzeddin Hamed
    Thu, 23 May 2024, 5:46 AM
    I reached it and modified the related mustache file.

    On the other hand, I am trying to reset authentication factors for a user, I applied all factors that are active, but the user still logs in without new factor enforcement.

    Should I consider this as a bug? I am using Moodle 4.3.3.
  • Ken Farrimond
    Ken Farrimond
    Sat, 10 Aug 2024, 12:42 AM
    Hi Catalyst Great plugin. Does it support IPv6 address for IP authentication. If not is there a workaround?
  • Hector A
    Hector A
    Wed, 14 Aug 2024, 6:50 AM
    Hi, Is there an estimate as to when the SMS feature will be available?
  • Douglas Matheson
    Douglas Matheson
    Thu, 29 Aug 2024, 1:49 PM
    Good morning,

    Is this compatible with version 4.4?
  • Ezzeddin Hamed
    Ezzeddin Hamed
    Mon, 2 Sept 2024, 9:03 PM
    I used multi-factor, one of the factors is email which is given 14 days. A specific user logs in without new verification, I want to enforce this use to login. In the database, there are 3 tables that are obvious for the "too_mfa_xxx", I removed every record in the 3 tables of the database that relates to that specific user and he still logs in without new verification code.

    How to enforce this user to have a new authentication?

    Thanks,
  • joaquin gonzalez
    joaquin gonzalez
    Tue, 15 Oct 2024, 6:33 AM
    Good afternoon, I wanted to ask a question, to install the plugin in 3.8, is it not enough to just install the plugin? I understand that you also have to configure certain parameters from the server and install a git, is that correct?
  • Teofilo Esto
    Teofilo Esto
    Fri, 22 Nov 2024, 6:46 AM
    we have enabled factor_token (Trust My Device) so that MFA will only be done once a day but couldn't seem to get it to work. is there special configuration needed? our moodle is load balanced into 4 different webservers with redis sessions and cache enabled.
  • seaghan moriarty
    seaghan moriarty
    Wed, 7 May 2025, 9:19 PM
    Dubious Question Alert:
    Above, Peter said: "Moodle HQ have adopted the existing plugin, so no additional work or config should be required".

    In the context of upgrading from Moodle 4.1 with your plugin - to Moodle 4.5:
    Should I uninstall the older plugin (if 4.5 has this in the core) - or just leave it in place?

    Thanks so much!!
  • Natasha Forder
    Natasha Forder
    Mon, 16 Mar 2026, 10:11 PM
    Hi, is there any information on the "I didn't receive a code" button? How it works? Thank you, Natasha
1 2 3 4 5
Please login to post comments